Massive firms in the spotlight for GDPR non-compliance

Privacy International today announced that it has filed complaints against seven large firms it alleges are in breach of European privacy laws. Formal complaints have been raised with data protection authorities in France, Ireland, and the UK.

According to the leading UK advocacy group, all seven firms have been flouting the EU’s GDPR, which came into effect in May. The complaints are the first solid evidence that large firms may be systematically exploiting consumer data, despite the introduction of the General Data Protection Regulation designed to protect consumers. Commenting on the accusations, Privacy International said:

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged.”

Getting away with it, 'til now

Among the GDPR rules introduced in May 2018 is the requirement that firms be able to demonstrate a legal basis for the way they use people’s data. Privacy International (PI) says it analyzed over fifty Data Subject Access Requests and uncovered troublesome holes in the practices of a number of sizeable firms. The research has led PI to file official complaints against the following companies:

Data brokers: Acxiom, Oracle

Ad-tech firms: Criteo, Quantcast, Tapad

Credit referencing agencies: Equifax, Experian

PI alleges that all seven firms are breaching the principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy, all of which are legal requirements for processing consumer data in the EU. PI feels confident that what it has uncovered is only “the tip of the iceberg.” The organization anticipates that regulators will discover “wide-scale and systematic infringements of GDPR” during the course of their investigations.

Encouraging signs

PI has already claimed a degree of success with its campaign; the UK’s Information Commissioner's Office (ICO) has issued assessment notices to Acxiom, Equifax, and Experian. Now, PI is hoping to convince the ICO to widen its investigation to include Criteo, Oracle, Quantcast, and Tapad. If PI is correct, it should be easy for data protection authorities to uncover the breadth of systematic failures alleged to be occurring.

PI has reason to believe that further investigation will reveal that some, or all, of the firms in question have neither the consent nor the legitimate interest required to process the data they possess. In addition, PI alleges that the firms lack a proper legal basis for processing "special category" personal data.

“Where they claim that consent is a valid basis for processing they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous. Where they rely on legitimate interest they have moulded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”

Massive fines possible

If the seven firms in question are found to have breached the GDPR, they could face fines of up to €20 million or 4% of their annual global turnover, whichever is higher.

Join the campaign

Finally, PI believes it has uncovered evidence that consumers face obstacles when invoking their data protection rights. These include the right to information (Articles 13 and 14 of GDPR), the right of access (Article 15), the right to erasure (Article 17), and rights in relation to automated decision-making, including profiling (Article 22 of GDPR).

“The data broker and ad-tech industries are premised on exploiting people's data. Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives. GDPR sets clear limits on the abuse of personal data. PI's complaints set out why we consider these companies' practices are failing to meet the standard - yet we've only been able to scratch the surface with regard to their data exploitation practices. GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”

Digital privacy expert with 4+ years experience testing and reviewing VPNs. He's been quoted in The Express, Barrons, the Scottish Herald, ThreatPost, CNET & many more. Ray is currently rated number 1 VPN authority by Agilience.com.